ajax_session_reset.patch

Etienne Massip, 2011-03-14 12:48

Download (1.68 KB)

View differences:

public/javascripts/application.js (working copy)
299 299
	}
300 300
});
301 301

  
302
/* shows and hides ajax indicator */
302
/* 
303
 * 1 - registers a callback which copies the csrf token into the
304
 * X-CSRF-Token header with each ajax request.  Necessary to 
305
 * work with rails applications which have fixed
306
 * CVE-2011-0447
307
 * 2 - shows and hides ajax indicator
308
 */
303 309
Ajax.Responders.register({
304
    onCreate: function(){
310
    onCreate: function(request){
311
        var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
312

  
313
        if (csrf_meta_tag) {
314
            var header = 'X-CSRF-Token',
315
                token = csrf_meta_tag.readAttribute('content');
316

  
317
            if (!request.options.requestHeaders) {
318
              request.options.requestHeaders = {};
319
            }
320
            request.options.requestHeaders[header] = token;
321
          }
322

  
305 323
        if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
306 324
            Element.show('ajax-indicator');
307 325
        }
app/views/layouts/base.rhtml (working copy)
5 5
<title><%=h html_title %></title>
6 6
<meta name="description" content="<%= Redmine::Info.app_name %>" />
7 7
<meta name="keywords" content="issue,bug,tracker" />
8
<%= csrf_meta_tag %>
8 9
<%= favicon %>
9 10
<%= stylesheet_link_tag 'application', :media => 'all' %>
10 11
<%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>